HackDig : Dig high-quality web security articles for hacker

Bad Rabbit Ransomware Spreads via Network, Hits Ukraine and Russia

2017-10-24 19:45

A ransomware campaign is currently ongoing, hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Users of Trend Micro products with XGen Security detect this ransomware as TROJ.Win32.TRX.XXPE002FF019. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.

Initial reports peg the main targets so as transport systems and media outlets in Ukraine and Russia. The Ukranian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.

Initial Analysis

 Figure 1: Bad Rabbit ransom note showing the installation key

Figure 1: Bad Rabbit ransom note showing the installation key

Our initial findings report that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer “install_flash_player.exe”. Compromised sites are injected with a script that which contains a URL that resolves to hxxp://1dnscontrol.com/flash_install,  which is inaccessible as of the time of publication. We’ve observed some compromised sites out of Denmark, Ireland, Turkey, and Russia where it delivered the fake Flash installer.

 Figure 2: Code showing the injected script

Figure 2: Code showing the injected script

Once the fake installer is clicked, it will drop the encryptor file infpub.dat using the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine. The ransomware will then proceed to encrypt files in the system, as well as display the ransom note which is seen above.

A third file, viserion_23.job, is used to reboot the target system a second time, after which the screen is locked and the following note displayed:

 Figure 3: Bad Rabbit ransom note displayed after system reboot

Figure 3: Bad Rabbit ransom note displayed after system reboot

From our initial analysis, Bad Rabbit will drop a copy with the name (orig).DAT in the network via a dictionary attack using the Windows Manage Instrumentation (WMI) component, allowing it to spread to other computers in the network.

Among the tools Bad Rabbit incorporates is the open-source utility Mimikatz, which it uses for credential extraction. We have also found evidence of it using DiskCryptor , a legitimate disk encryption tool, to encrypt the target systems.

Mitigation and Best Practices

Users can mitigate the impact of ransomware such as Bad Rabbit through the use of the best practices found in this guide.

Trend Micro Solutions

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally-identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Further information about Trend Micro solutions can be found in this article.

The following SHA256 hashes are related to this threat:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da (RANSOM_BADRABBIT.A)
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Source: /gP-RZ6oD3Th/3~/golBerawlaM-itnA/r~/moc.orcimdnert.sdeef

Read:1919 | Comments:0 | Tags:Malware Ransomware Bad Rabbit

“Bad Rabbit Ransomware Spreads via Network, Hits Ukraine and Russia”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud